Subject: Re: A possible solution to ftpd port 20 binding
To: Luke Mewburn <lukem@wasabisystems.com>
From: Todd Vierling <tv@wasabisystems.com>
List: tech-net
Date: 11/22/2000 10:43:59

On Wed, 22 Nov 2000, Luke Mewburn wrote:

: If you run ftpd with `-r', or bound to a port > 1024, or use `-P dataport' 
: with a port > 1024, ftpd will use setuid(pw->pw_uid) to irrevocably
: drop root privs. Of course, it breaks the RFC WRT the dataport being
: the ctrlport-1, but ...

Well, it wouldn't necessarily break the RFC if the bound port is >=1025.
Provided the ctrlport-1 is free or only used by SO_REUSEPORT sockets.  :)

: Another solution is to have a central file descriptor broker daemon,
: which you communicate with via an authenticated AF_LOCAL socket.

The problems here are overhead (which simon pointed out), and
"authenticated".  Who authenticates it, given that ftpd will run as any user
capable of logging into the system?

: If this would work as a concept, and we had an API for this (in -lutil
: or wherever) could we even use it to solve the $HOSTALIASES problem for
: set-id programs?

Possibly, but there's still the issue of finding out who the original user
really was, if the program does one of those nice setuid(geteuid()) calls.

-- 
-- Todd Vierling <tv@wasabisystems.com>  *  http://www.wasabisystems.com/
-- Speed, stability, security, and support.  Wasabi NetBSD:  Run with it.
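
The descriptor hand-off that the broker idea in this thread depends on, as an added example that is not from either poster or from NetBSD's ftpd: a broker process binds a socket and passes it to a client over an AF_LOCAL socket with SCM_RIGHTS. `send_fd`, `recv_fd` and `broker_demo` are hypothetical names; the demo binds port 0 so it runs without root and does not authenticate the caller, which is the open question raised in the reply.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Broker side: pass descriptor fd over the AF_LOCAL socket chan (SCM_RIGHTS). */
static int send_fd(int chan, int fd) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0}, byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}
/* Client side: receive one descriptor from chan; -1 on error, EOF or no fd. */
static int recv_fd(int chan) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0}, byte;
    int fd = -1;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}
/* Child = broker: binds port 0 (constructed stand-in for a reserved port; the
 * caller is NOT authenticated here). Returns the port the parent sees, or -1. */
int broker_demo(void) {
    int sp[2], fd;
    struct sockaddr_in a = { .sin_family = AF_INET }; socklen_t len = sizeof a;
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* broker process */
        int s = socket(AF_INET, SOCK_STREAM, 0);
        _exit(bind(s, (struct sockaddr *)&a, sizeof a) || send_fd(sp[1], s));
    }
    close(sp[1]);                   /* so recv_fd sees EOF if the broker fails */
    fd = recv_fd(sp[0]);
    waitpid(pid, NULL, 0); close(sp[0]);
    int ok = fd >= 0 && getsockname(fd, (struct sockaddr *)&a, &len) == 0;
    if (fd >= 0) close(fd);
    return ok ? ntohs(a.sin_port) : -1;
}
```

The client never calls bind() itself: it receives a socket that is already bound, so a process that has dropped root can still end up holding a descriptor only the broker was able to create.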